
Add HttpOnly flag to cookies on the fly with Apache?

So I have a Java webapp that uses Tomcat with an Apache proxy layer. I'm looking to make all cookies set from the app have the httpOnly flag. The problem with this is that Tomcat is responsible for setting the flag from the application side and its default (in servlet api 2.5) is false. I was hoping I could set this flag for all cookies on the fly using Apache.

I've been trying different combinations and the closest I have gotten is setting the last cookie passed to httpOnly, which is of course wrong:

Header append Set-Cookie "; HttpOnly"

I have no way of knowing what cookies/values are going to be passed from the app. Is this even possible?

The following mod_headers rewrite has the benefit that it won't duplicate HttpOnly if it's already there, if that sort of thing matters to you:

  Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"


Try the following mod_headers directive.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly
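
To compare the two `Header edit` rules above before deploying one, the following added example (not part of the original answers) applies both regexes to constructed Set-Cookie values, modelling `Header edit` as a first-match replacement run on each Set-Cookie header separately. The function names and sample cookies are assumptions made for illustration.

```python
import re

# Patterns copied from the two answers; Apache's $1 becomes \1 in Python.
GUARDED = (re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$"), r"\1; HttpOnly")
SIMPLE = (re.compile(r"^(.*)$"), r"\1;HttpOnly")


def header_edit(rule, set_cookie_values):
    """Apply one edit rule to each Set-Cookie value (first match only)."""
    pattern, replacement = rule
    return [pattern.sub(replacement, v, count=1) for v in set_cookie_values]


def httponly_count(value):
    """Count HttpOnly attributes in one Set-Cookie value, ignoring case."""
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    return attrs.count("httponly")


# Constructed sample headers: one without the flag, two that already carry it.
SAMPLE = [
    "JSESSIONID=0123ABCD; Path=/app",
    "lang=en; Path=/; HttpOnly",
    "theme=dark; httponly; Path=/",
]


def report(rule):
    """Return (rewritten value, number of HttpOnly attributes) per header."""
    return [(v, httponly_count(v)) for v in header_edit(rule, SAMPLE)]


if __name__ == "__main__":
    for name, rule in (("guarded", GUARDED), ("simple", SIMPLE)):
        print(name)
        for value, n in report(rule):
            print(f"  {n}x HttpOnly  {value}")
```

The guarded rule leaves cookies that already carry the flag untouched, while the catch-all rule appends a second HttpOnly to them.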
